httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57580] Perl code in "User-Agent" field is being executed and causing an exploit
Date Fri, 13 Feb 2015 20:23:01 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57580

--- Comment #10 from D. Stussy <software+httpd@kd6lvw.ampr.org> ---
Show me where BASH is called in this SSI using mod_include:

<HTML><HEAD>
    <TITLE>Error 400 - Bad Request or Syntax Error</TITLE>
    <META NAME="DC.Date.Created"  CONTENT="2002-05-10 00:00:00">
    <META NAME="DC.Date.Modified" CONTENT="2010-03-15 00:00:00">
    <META NAME="Description" CONTENT="HTTP Server 400 Error Page">
    <META NAME="Classification" CONTENT="HTTP Server Error Handler Page">
    <META NAME="Robots" CONTENT="NoIndex,NoFollow,NoArchive,NoCache,NoSnippet">
    <META HTTP-EQUIV="Content-Type" CONTENT="Text/HTML; CHARSET=iso-8859-1">
</HEAD><BODY TEXT=BLACK BGCOLOR=WHITE LINK=BLUE VLINK=RED ALINK="#33FF33">
<B>An <FONT COLOR=RED>ERROR</FONT> has occurred:&nbsp; Access to that
web page,
script, or other service has been denied.&nbsp; Either an error has been made
in
the target page or service, or your web browser issued an improper or malformed
request.&nbsp; Try again.</B>
<BR CLEAR=BOTH><HR><TABLE ALIGN=CENTER BGCOLOR=LIGHTCYAN WIDTH=100%><TR>
    <TD ALIGN=RIGHT><B>Requested Page:</B></TD>
    <TD><B>http<!--#if expr="$HTTPS = on" -->s<!--#endif -->://<!--#echo
        var="HTTP_HOST" var="REQUEST_URI" --></B></TD>
<!--#if expr="$HTTP_REFERER" --></TR><TR>
    <TD ALIGN=RIGHT><B>Referring Page:</B></TD>
    <TD><B><!--#echo var="HTTP_REFERER" --></B></TD>
<!--#endif --></TR><TR>
    <TD ALIGN=RIGHT><B>Requested From:</B></TD>
    <TD><B><!--#echo var="REMOTE_ADDR" --> : <!--#echo var="REMOTE_PORT"
-->
        <!--#if expr="HTTP_ACCEPT_BROWSER" -->
        <!--#if expr="$HTTP_ACCEPT_BROWSER = msie" -->(Internet Explorer)
        <!--#elif expr="$HTTP_ACCEPT_BROWSER = ns" -->(Netscape)
        <!--#elif expr="$HTTP_ACCEPT_BROWSER = lynx" -->(Lynx)
        <!--#elif expr="$HTTP_ACCEPT_BROWSER = safari" -->(Safari)
        <!--#elif expr="$HTTP_ACCEPT_BROWSER = firefox" -->(Firefox)
        <!--#elif expr="$HTTP_ACCEPT_BROWSER = chrome" -->(Google Chrome)
        <!--#else -->(<!--#echo var="HTTP_ACCEPT_BROWSER" -->)<!--#endif -->
        <!--#endif --><!--#if expr="$REDIRECT_REQUEST_METHOD" -->
        [<!--#echo var="REDIRECT_REQUEST_METHOD" -->]<!--#else -->
        [<!--#echo var="REQUEST_METHOD" -->]<!--#endif --></B></TD>
<!--#if expr="$HTTPS" --></TR><TR>
    <TD ALIGN=RIGHT><B>Encryption Method:</B></TD>
    <TD><B><!--#echo var="SSL_PROTOCOL_VERSION" --><!--#echo var="HTTPS_CIPHER"
        --><!--#echo var="HTTPS_KEYSIZE" --></B></TD>
<!--#endif --><!--#if expr="$REMOTE_USER" --></TR><TR>
    <TD ALIGN=RIGHT><B>Validated User:</B></TD>
    <TD><B><!--#echo var="REMOTE_USER" --></B></TD>
<!--#endif --></TR></TABLE><HR></BODY></HTML>


I see no #execs (direct) and no #include virutals (indirect) directives here. 
BASH is never invoked, yet this script is still vulnerable to the bug.  Not
only that, I don't explicitly use the "USER_AGENT" variable in the script (but
it is used in the configuration file to set the "HTTP_ACCEPT_BROWSER" value by
using BrowserMatch statements).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message